On Thursday, the US Supreme Court presented Congress with changes in the Rules of Criminal Procedure that will allow judges to issue warrants directed at electronic devices outside their jurisdiction. These changes vastly expand the government's surveillance and hacking power.
Magistrate judges are mostly limited to authorizing searches and seizures in their jurisdiction. The changes to Rule 41, requested by the Department of Justice and endorsed by the Supreme Court justices, give judges the ability "to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district" if the information sought has been "concealed through technological means" or the device has been damaged without authorization and is held in five or more districts.
Compromised computers are considered "damaged" for the purpose of these rules. This definition allows investigators to infiltrate botnets anywhere in the world using a warrant. But the Center for Democracy and Technology (CDT) contends the rule is overly broad because about 30% of the world's computers could be considered "damaged" -- infected with malware -- and thus could be subject to Rule 41 searches.
Among other objections to the changed rules, the CDT has argued that authorizing a search warrant for an unknown location violates the Fourth Amendment requirement that warrants should "[describe] the place to be searched, and the persons or things to be seized."
David Bitkower, Principal Deputy Assistant Attorney General, has defended the constitutionality of the rule change and the utility of adopting the change as a way to deal with anonymization technology. In a Dec. 22, 2014 letter to Judge Reena Raggi, chair of the Advisory Committee on Criminal Rules, he wrote that the issue is "whether [search warrants using certain remote search techniques] should as a practical matter be precluded in cases involving anonymizing technology due to lack of a clearly authorized venue to consider warrant applications."
The government's use of Network Investigative Techniques, or hacking, as seen in the FBI's recent effort to break into an iPhone used by one of the San Bernardino shooters, has attracted the attention of lawmakers.
In June last year, Senate Judiciary Committee chairman Chuck Grassley (R-IA) wrote a letter to FBI Director James Comey inquiring about government-authorized hacking. "Obviously, the use of such capabilities by the government can raise serious privacy concerns," he wrote, asking for details about FBI policies and procedures when the agency employs spyware. Among the questions he asked was which companies the FBI has impersonated when trying to install spyware through phishing and whether the agency has informed those companies.
US Sen. Ron Wyden (D-OR) issued a statement on Thursday asking members of Congress to reject the government's expanded hacking and surveillance powers. Such significant rule changes should be addressed by Congress, he said.
"Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime," said Wyden. "These are complex issues involving privacy, digital security and our Fourth Amendment rights, which require thoughtful debate and public vetting."
The rule change will take effect on Dec. 1, 2016 unless Congress takes action to alter the rules. Wyden said he plans to introduce legislation to reverse the rule amendments soon.